Consumer Financial Protection Bureau: NSA of the Financial World

While the National Security Agency’s (NSA) unconstitutional spying on Americans’ communications has been getting most of the press lately, another federal agency has been quietly — and illegally — vacuuming up Americans’ financial data: the Consumer Financial Protection Bureau (CFPB).

Created by the 2010 Dodd-Frank Act, the CFPB has been operating for just under two years but has already managed to exceed its statutory authority, issuing demands for “huge quantities of data regarding individual consumers’ financial transactions on an ongoing, real-time basis,” according to a June 19 letter to CFPB director Richard Cordray from David Hirschmann of the U.S. Chamber of Commerce’s Center for Capital Markets Competitiveness.

Bloomberg reported in April:

Bureau researchers are assembling data from across the financial landscape, according to a review of government records. Credit-card information from nine banks will be stored and analyzed by Argus Information & Advisory Services LLC, a White Plains, New York-based consultancy that won a $15 million contract for the work, procurement documents show….

As part of a separate industry-wide review, banks are being ordered to provide records of credit-card add-on products including credit monitoring and debt cancellation, according to two people briefed on the matter. And last year, the bureau persuaded banks to submit data on checking-account overdrafts.

Additionally, the CFPB is “buying records from outside the banking industry,” the story continued. It has a contract with an Ireland-based credit-monitoring company for “data on 5 million to 10 million consumers” and another with a Florida-based credit-reporting agency for data on payday loans. The bureau “is also building a mortgage database that will integrate consumer credit information with loan and property records.”

“It’s credible to say that within the next year, CFPB will be the best place for consumer finance data,” the bureau’s assistant director for research, Sendhil Mullainathan, told Bloomberg. “Anybody who wants to do research on consumer finance will want to be there.”

Having all that data in one place — especially when that place belongs to the federal government — is, of course, what concerns many people. The CFPB insists that it “is not obtaining personally identifiable information because an individual’s name and address are not attached to the information received by the Bureau,” Hirschmann wrote. “But the critical question is the extent to which the Bureau has protections in place that will prevent the linkage of this information to an individual’s personal identity.... Neither you [Cordray] nor the Bureau have [sic] given any assurances regarding this extremely important question.”

In fact, all indications are that the bureau is intent on building a database of financial information that can be traced to particular individuals, Hirschmann observed:

We understand that the Bureau is directing at least some credit card issuers to provide — on a real-time, continuous basis — a monthly summary of cardholder transactions on an account-by-account basis. We have heard from companies that the scope may range from dozens to as many as hundreds of pieces of data for each consumer on at least a monthly (and perhaps more frequent) basis.

We also understand that the Bureau either has implemented or is planning to implement a data system that assigns an identifier to each individual and requires all companies submitting data regarding that individual to tag the data with the same identifier (the consumer’s name is not requested). If this is true, it will allow the Bureau to construct a profile of each individual consumer’s financial activities by grouping together all of that consumer’s credit card transactions.

In addition, we are told that the Bureau may be seeking to expand these requests to include additional categories of financial data, such as mortgage or other loan transactions. If the Bureau does take this step, that will enable the Bureau to construct even more detailed profiles of individuals’ financial activities.

All of this is being done with great secrecy on the CFPB’s part, making it all the more worrisome.

“This lack of candor and transparency of what the agency is doing and how it intends to use this personal financial data is troubling,” Sen. Mike Crapo (R-Idaho), ranking member of the Senate Banking Committee, told Cordray during an April 23 hearing. “The bureau was founded with a mission to watch out for American consumers, not to watch them.”

Cordray, naturally, told the committee that Americans have nothing to worry about. “The notion that we’re tracking individual consumers or — or somehow invading their privacy, I think is quite — quite wrong,” he said, likening the CFPB’s data-collection activities to private-sector practices and talking up the bureau’s privacy safeguards.

Others, however, remain unconvinced that the CFPB has adequate safeguards in place. Both the Federal Reserve’s Office of Inspector General and the Government Accountability Office have expressed concerns about the CFPB’s data security in recent months. And, Hirschmann pointed out, “Companies that have inquired about the Bureau’s security procedures in connection with these data demands have also found that those procedures are below the standards in the industry.”

Even if the CFPB’s information security were absolutely airtight, some serious concerns about the bureau’s data mining would still exist.

For one thing, the CFPB’s demands are expensive, time-consuming, and legally treacherous for the businesses on whom they are imposed. The requirements that companies reformat data to the bureau’s specifications and provide it on an ongoing basis “will impose very significant costs” on businesses, Hirschmann maintained. Furthermore, he wrote, should the CFPB’s security fail and cause injury to consumers, those individuals might sue the businesses that supplied the data to the bureau, arguing “that a company violated the law by delivering data to the Bureau that the Bureau had no legal right to obtain.”

Indeed, the very statute that created the CFPB also makes it illegal for the bureau to collect data willy-nilly. The Dodd-Frank Act requires the CFPB to issue an order or regulation specifying the data it is demanding and its justification for doing so. It does not permit the bureau simply to vacuum up data on millions of consumers for any old reason.

The law also says the CFPB may only impose reporting requirements that are “necessary for the Bureau to fulfill” its responsibilities. In his letter, Hirschmann asked “why [the CFPB] cannot rely on the random-sampling approach” used by other agencies instead of seeking comprehensive data.

Some elected officials have taken notice of what columnist George Will termed “the CFPB’s general lawlessness.”

In addition to grilling Cordray during the April hearing, Sen. Crapo sent him a letter on May 16 asking for “a full and thorough legal analysis to ascertain [the CFPB’s] authority to engage in such sweeping collection of consumers’ financial information.”

Sen. Mike Enzi (R-Wyo.) said in a June 18 press release, “The NSA claims it is protecting you from terrorists. The consumer protection bureau claims it’s protecting you from banks. At what point does ‘protection’ become power or control?”

Unfortunately, as much as lawmakers may bluster, there is very little they can do to rein in the CFPB.

“Congress has less control over this agency than the National Security Agency because authors of the bill that created the consumer bureau gave it funding not through Congress, but through the Federal Reserve,” Enzi explained.

Moreover, as Will noted in his column, the CFPB director is appointed by the president for a five-year — but potentially indefinite — term and cannot be removed for policy reasons.

In other words, outside of a court order, there is next to nothing that can stop the CFPB from doing whatever it pleases to whomever it pleases. Chamber of Commerce spokesperson Lisa Burgess told the Daily Caller that the Chamber considers litigation “an act of last resort,” but judging from the charges leveled by Hirschmann, one suspects that last resort is fast approaching.